Cyber Essentials: your first line of defence

Companies, organisations and individuals all need to protect systems, data and so on from attack. These systems and data are constantly being probed for weaknesses, whether you’re aware of it or not. Even your home broadband or cable connection will be regularly probed by attackers on the Internet.

Attacks are either random – almost drive-by – or targeted, but they are happening constantly. In order to ensure these attacks are not successful, controls need to be in place either under a formal information security management system (ISMS) or a more informal approach.

So, how do you start with cyber security? One part of this is to understand something about the attacks. The majority of attacks faced by an organisation are the random probes from low-skilled attackers or automated tools looking for well-known vulnerabilities in people, processes and technology. These attacks are the easiest to prevent; those conducted by skilled attackers against specific targets are the hardest to defend from; and advanced persistent threat (APT) attacks are the most difficult to prevent.

We know we need to protect ourselves, but how is this achieved? The answer is simple: implement controls that are based on agreed best practice. As with all simple answers, it is actually often not that the simple. We have to identify those best practices and then implement them within our organisations so they are part of our daily routine or ‘business as usual’ (BAU).

Standards such as Cyber Essentials, 10 Steps to Cyber Security, ISO 27001 and the PCI DSS – among others – are based on best practice, so are a good place to start with implementing cyber security.

What is Cyber Essentials?

As part of its drive to get the country protected from cyber threats, the UK Government developed the Cyber Essentials scheme as the lowest rung on the cyber security ladder. The scheme was developed by organisations such as CESG and CREST, among others. It is designed to help protect organisations from the threats posed by low-skilled attackers and automated tools by ensuring basic hygiene controls are implemented.

It is not the silver bullet to defeat all cyber threats, but all the controls within it are the foundation of all measures to protect you and your organisation.

It concentrates on five key controls[1]:

  1. Boundary firewalls and Internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but properly setting up these devices either in hardware or software form is necessary for them to be fully effective.
  2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
  3. Access control – ensuring only those who should have access to systems do have access and at the appropriate level.
  4. Malware protection – ensuring that virus and malware protection is installed and up to date.
  5. Patch management – ensuring the latest supported versions of applications are used, and that all necessary patches supplied by the vendor have been applied.

The scheme focuses on Internet-facing systems because they are more exposed. Equally, the people within your organisation are also directly exposed to attacks from the Internet as they browse the web and receive emails.

Getting started with cyber security

To get started with cyber security, you will need to identify the technology within your organisation and implement the best practices for securing it. You need to modify your processes to ensure the controls are implemented, used on a continual basis, and ensure these processes and controls are working by monitoring and auditing them. Finally, and most importantly, you need to educate your users about cyber threats, cyber security, the controls to use and the importance of using them, along with the penalties and consequences of not following them.

If you are implementing cyber security for the first time, you will need to build secure foundations by implementing the controls within the Cyber Essentials requirements document[2] and then use the Cyber Essentials Assurance Framework[3] to get assurance that the controls are correctly implemented.

Getting certified

There are a number of accreditation bodies, each of which accredits the certification bodies beneath them. Each accreditation body takes a different approach to assessing compliance with the scheme. As a potential applicant, you will need to select a certification body that offers a solution that gives you and your clients assurance that you meet the requirements of the scheme. The certification body should also have a process to simplify your application for Cyber Essentials certification.

The typical process is to contact a certification body and get details of how they operate their certification scheme, get the questionnaire that they use, answer the questions and define the scope of applicability of the certification. For most SMEs, the scope will be the whole of the organisation; larger organisations, meanwhile, generally want to certify part of the business, such as a division or a single company within a group. This is permitted as long as the in-scope entity has sufficient network segmentation and management responsibility from the rest of the business to meet the requirements defined in the scheme.

If you want to know more about Cyber Essentials, how it strengthens your company’s cyber security and improves businesses efficiency, download this free guide.

What’s next?

Once you comply with the Cyber Essentials and have gained the certificate, you will need to maintain the controls. Annual recertification to the scheme is a good way of assuring stakeholders that the controls are maintained. You can also move ahead with cyber security by implementing the UK Government’s 10 Steps to Cyber Security, ISO 27001 and/or other standards, such as the PCI DSS, along with additional best practices published by a number of organisations and bodies.

[1] Cyber Essentials Scheme Summary, https://www.cyberaware.gov.uk/cyberessentials/files/scheme-summary.pdf

[2] Cyber Essentials Scheme Requirements, https://www.cyberaware.gov.uk/cyberessentials/files/assurance-framework.pdf

[3] Cyber Essentials Scheme Assurance Framework, https://www.cyberaware.gov.uk/cyberessentials/files/assurance-framework.pdf